I know that codeigniter stores it’s sessions as a cookie, which, from reading around I understand to be somewhat insecure. So… I am planning to enable database storage for sessions, which I believe:
a) Is safer?
b) Allows you to store more data than the 4kb limit offered by cookies?
However on the flipside I guess this will be slower for the system to retrieve, for example, in my application I regularly want to query the session data to determine if a user is logged in.
Is is a good idea to store sessions in the database, or will this slow down my app considerably?
Any other ideas or suggestions regarding sessions and cookies would be most appreciated.
Well, that is true and false. CodeIgniter can be configured to store its data on a DB, but it can encrypt the cookies before storing them on the client. It also MD5’s the cookies contents to ensure data integrity (basically if the Cookie’s MD5 doesn’t match correctly, then it is rejected). So while by default it is possible to edit the cookies, it is more than annoying to do so.
Personally, I generally prefer to store session level data in the $_SESSION and have modified my session object to allow me to do that. I also make the PHPSESSID variable a good deal more complicated.
As to your question, “Is it a good idea to store sessions in the database”, well, that depends on how fast your database is and what your memory requirements are. It could slow things down or it could, conceivably, speed things up based on configurations et al.